How to get terminal attacker's IP
Hello
I have found some entries in the event log saying that someone has been trying to connect to our client's terminal server running Win 2008 R2 Std. x64 about a hundred times from 3AM to 4AM. I would like to know if there is any way of finding out the attacker's IP and then blocking it in the firewall or something like that.
Thank you for your responses
Jakub
August 18th, 2011 4:39am
You need to enable failed logons audit as follows:
http://technet.microsoft.com/en-us/library/cc747507(WS.10).aspx
After that, in the Security event log you will find failed logon entries. Search for events with Logon Type = 10. The event will contain the source client IP address.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 18th, 2011 5:50am
Hello
I have found 3 attackers were trying to get access to the server. There were several hundred failed logins from one IP and, after a couple of hours, the same thing with another IP. So I would like to set my system to block any IP which reaches the limit of 5 failed logins and put it on some blacklist. Is there any way of doing that, please?
Thanks
Jakub
August 18th, 2011 3:33pm
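
The two steps discussed in this thread, as an added example that is not part of any post: it reads failed-logon events (ID 4625) with Logon Type 10 from the Security log, counts them per source IP, and reports every address at or above the limit of 5, adding a Windows Firewall block rule only when run with `-Block`. The look-back window, the `-Block` switch and the rule-name prefix are assumptions made for the example; it assumes failed-logon auditing is already enabled and the script runs elevated on the terminal server.

```powershell
# Added example, not from the thread. Written to run on PowerShell 2.0 (Win 2008 R2).
param(
    [int]$Threshold = 5,          # failed-logon limit named in the post above
    [int]$Hours     = 24,         # look-back window (assumed value)
    # 10 = RemoteInteractive (RDP), as in the answer above. With Network Level
    # Authentication, failed RDP logons may be logged as type 3 instead.
    [int[]]$LogonTypes = @(10),
    [switch]$Block                # without -Block the script only reports
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Named EventData fields are only reachable through the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($LogonTypes -notcontains [int]$data['LogonType']) { continue }
    $ip = $data['IpAddress']
    if (-not $ip -or $ip -eq '-') { continue }   # no source address recorded

    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Ip = $ip; User = $data['TargetUserName']
    }
}

$offenders = $failures | Group-Object Ip | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending

foreach ($o in $offenders) {
    $first = ($o.Group | Sort-Object Time | Select-Object -First 1).Time
    '{0,-40} {1,5} failures since {2}' -f $o.Name, $o.Count, $first

    if ($Block) {
        $rule = "BlockFailedRDP-$($o.Name)"   # rule-name prefix is a made-up convention
        # Skip addresses that already have a rule so reruns do not pile up duplicates.
        netsh advfirewall firewall show rule name=$rule | Out-Null
        if ($LASTEXITCODE -ne 0) {
            netsh advfirewall firewall add rule name=$rule dir=in action=block remoteip=$($o.Name)
        }
    }
}
```

Run it once without `-Block` and review the list for your own addresses before letting it create rules; scheduling it as a task turns the report into a recurring blacklist update.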


